
2.7 Identify, prescribe, and resolve common switched network media issues, configuration issues, auto negotiation, and switch hardware failures



85711.book Page 100 Thursday, September 27, 2007 10:35 AM

100 Chapter 2 Configure, verify, and troubleshoot a switch with VLANs



Exam Objectives

Remember how the system LED responds when the POST runs. If you boot a switch and the POST completes successfully, the system LED turns green; if the POST fails, it turns amber.

Remember how the port LED responds if there are errors on a switch port. A switch port's LED turns from green to amber when the port experiences errors.



2.8 Describe enhanced switching technologies (including: VTP, RSTP, VLAN, PVSTP, 802.1q)

The basic goals of VLAN Trunking Protocol (VTP) are to manage all configured VLANs across a switched internetwork and to maintain consistency throughout that network. VTP allows you to add, delete, and rename VLANs, and that information is then propagated to all other switches in the VTP domain.

Here's a list of some of the cool features VTP has to offer:

- Consistent VLAN configuration across all switches in the network
- VLAN trunking over mixed networks, such as Ethernet to ATM LANE or even FDDI
- Accurate tracking and monitoring of VLANs
- Dynamic reporting of added VLANs to all switches in the VTP domain
- Plug and Play VLAN adding

Very nice, but before you can get VTP to manage your VLANs across the network, you have to create a VTP server. All servers that need to share VLAN information must use the same domain name, and a switch can be in only one domain at a time. So, basically, this means that a switch can only share VTP domain information with other switches if they're configured into the same VTP domain. You can use a VTP domain if you have more than one switch connected in a network, but if you've got all your switches in only one VLAN, you just don't need to use VTP. Do keep in mind that VTP information is sent between switches only via a trunk port.

Switches advertise VTP management domain information as well as a configuration revision number and all known VLANs with any specific parameters. But there's also something called VTP transparent mode. In it, you can configure switches to forward VTP information through trunk ports but not to accept information updates or update their VTP databases.

If you've got sneaky users adding switches to your VTP domain behind your back, you can include passwords, but don't forget: every switch must be set up with the same password. And as you can imagine, this little snag can be a real hassle administratively!

Switches detect any added VLANs within a VTP advertisement, then prepare to send information on their trunk ports with the newly defined VLAN in tow. Each update carries a configuration revision number that is incremented by 1 for every change. Anytime a switch sees a revision number higher than its own, it knows the information it's getting is more current, so it overwrites its existing database with the latest information.

You should know these three requirements for VTP to communicate VLAN information between switches:

- The VTP management domain name of both switches must be set the same.
- One of the switches has to be configured as a VTP server.
- No router is necessary.

Now that you've got that down, we're going to delve deeper into the world of VTP with VTP modes and VTP pruning.



VTP Modes of Operation

Figure 2.18 shows you all three different modes of operation within a VTP domain:

Server: This is the default mode for all Catalyst switches. You need at least one server in your VTP domain to propagate VLAN information throughout that domain. Also important: The switch must be in server mode to be able to create, add, and delete VLANs in a VTP domain. VTP information has to be changed in server mode, and any change made to a switch in server mode will be advertised to the entire VTP domain. In VTP server mode, VLAN configurations are saved in NVRAM.

Client: In client mode, switches receive information from VTP servers, but they also send and receive updates, so in this way, they behave like VTP servers. The difference is that they can't create, change, or delete VLANs. Plus, none of the ports on a client switch can be added to a new VLAN before the VTP server notifies the client switch of the new VLAN. Also good to know is that VLAN information sent from a VTP server isn't stored in the client's NVRAM, which is important because it means that if the switch is reset or reloaded, the VLAN information will be deleted. Here's a hint: If you want a switch to become a server, first make it a client so it receives all the correct VLAN information, then change it to a server. So much easier!

So basically, a switch in VTP client mode will forward VTP summary advertisements and process them. This switch will learn about the VLANs but won't save the VTP configuration in the running configuration, and it won't save it in NVRAM. Switches that are in VTP client mode will only learn about and pass along VTP information. That's it!

Transparent: Switches in transparent mode don't participate in the VTP domain or share its VLAN database, but they'll still forward VTP advertisements through any configured trunk links. They can create, modify, and delete VLANs because they keep their own database, one they keep to themselves. Despite being kept in NVRAM, the VLAN database in transparent mode is only locally significant. The whole purpose of transparent mode is to allow remote switches to receive the VLAN database from a VTP server-configured switch through a switch that is not participating in the same VLAN assignments.






VTP only learns about normal-range VLANs, with VLAN IDs 1 to 1005; VLANs with IDs greater than 1005 are called extended-range VLANs and they're not stored in the VLAN database. The switch must be in VTP transparent mode when you create VLAN IDs from 1006 to 4094, so it would be pretty rare that you'd ever use these VLANs. One other thing: VLAN IDs 1 and 1002 to 1005 are automatically created on all switches and can't be removed.
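Here is a small Python model of the VTP behaviour just described. It is an added example, not code from the book or from Cisco: the switch names, the domain name CORP, the password and the server/transparent/client/rogue topology are all made up for the demonstration. It applies the rules from the text: same domain name and password required, a higher revision number overwrites the whole database, transparent switches forward advertisements but never update, clients can't create VLANs, and extended-range IDs (1006 to 4094) are refused outside transparent mode, which is the same failure you'll see on the real switch in section 2.10.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RESERVED_VLANS = {1, 1002, 1003, 1004, 1005}   # created on every switch, cannot be removed
NORMAL_RANGE = range(1, 1006)                   # 1-1005: the only IDs VTP manages
EXTENDED_RANGE = range(1006, 4095)              # 1006-4094: transparent mode only
DEFAULT_VLANS = {1: "default", 1002: "fddi-default", 1003: "token-ring-default",
                 1004: "fddinet-default", 1005: "trnet-default"}


@dataclass
class Advertisement:
    domain: str
    password: Optional[str]
    revision: int
    vlans: Dict[int, str]


@dataclass
class Switch:
    name: str
    mode: str = "server"                 # server is the Catalyst default
    domain: str = ""
    password: Optional[str] = None
    revision: int = 0
    vlans: Dict[int, str] = field(default_factory=lambda: dict(DEFAULT_VLANS))
    trunks: List["Switch"] = field(default_factory=list)   # neighbours over trunk links

    def create_vlan(self, vid: int, name: str) -> str:
        """Apply the creation rules from the text and return an IOS-style status line."""
        if vid in RESERVED_VLANS:
            return f"% VLAN {vid} is reserved and cannot be changed"
        if vid not in NORMAL_RANGE and vid not in EXTENDED_RANGE:
            return f"% Invalid VLAN ID {vid}"
        if self.mode == "client":
            return "% VTP client mode: cannot create, change or delete VLANs"
        if vid in EXTENDED_RANGE and self.mode != "transparent":
            return f"% Failed to create VLANs {vid}: Extended VLAN(s) not allowed in current VTP mode."
        self.vlans[vid] = name
        if self.mode == "server":        # only a server bumps the revision and advertises
            self.revision += 1
            self.advertise()
        return f"VLAN {vid} created"

    def advertise(self) -> None:
        adv = Advertisement(self.domain, self.password, self.revision, dict(self.vlans))
        for peer in self.trunks:
            peer.receive(adv, seen={self.name})

    def receive(self, adv: Advertisement, seen: Set[str]) -> str:
        """Handle one advertisement arriving on a trunk; `seen` stops forwarding loops."""
        if self.name in seen:
            return "dropped: already seen"
        seen.add(self.name)
        if self.mode == "transparent":   # relay it, never touch the local database
            self._relay(adv, seen)
            return "forwarded"
        if adv.domain != self.domain:
            return "ignored: different VTP domain"
        if adv.password != self.password:
            return "ignored: VTP password mismatch"
        if adv.revision <= self.revision:
            return "ignored: revision not newer"
        self.vlans = dict(adv.vlans)     # higher revision wins: whole database overwritten
        self.revision = adv.revision
        self._relay(adv, seen)
        return "applied"

    def _relay(self, adv: Advertisement, seen: Set[str]) -> None:
        for peer in self.trunks:
            peer.receive(adv, seen)


def link(a: Switch, b: Switch) -> None:
    a.trunks.append(b)
    b.trunks.append(a)


def demo() -> dict:
    """Constructed topology: S1 (server) - S3 (transparent) - S2 (client) - Rogue (server)."""
    s1 = Switch("S1", "server", "CORP", "secret")
    s2 = Switch("S2", "client", "CORP", "secret")
    s3 = Switch("S3", "transparent", "CORP", "secret")
    rogue = Switch("Rogue", "server", "CORP", "guess", revision=50)   # wrong password
    link(s1, s3); link(s3, s2); link(s2, rogue)
    out = {"s1_vlan2": s1.create_vlan(2, "Sales"),
           "s1_vlan4000": s1.create_vlan(4000, "Lab"),
           "s3_vlan4000": s3.create_vlan(4000, "Lab"),
           "s2_vlan3": s2.create_vlan(3, "Marketing"),
           "rogue_vlan9": rogue.create_vlan(9, "Bogus")}
    out["s2_has_sales"] = 2 in s2.vlans          # learned through the transparent switch
    out["s3_has_sales"] = 2 in s3.vlans          # transparent: forwarded, not stored
    out["s2_ignored_rogue"] = 9 not in s2.vlans  # wrong password, advertisement dropped
    rogue.password = "secret"                    # now a valid member with a higher revision
    rogue.create_vlan(10, "Bogus2")
    out["s1_after_rogue"] = (s1.revision, 2 in s1.vlans, 10 in s1.vlans)
    return out


if __name__ == "__main__":
    print(demo())
```

Look at s1_after_rogue: once the rogue switch has the right domain name and password, its higher revision number wipes the Sales VLAN off the real server, which is exactly why the hint about making a new switch a client first matters, and why a VTP password is worth the administrative hassle.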

FIGURE 2.18 VTP modes: the server's configuration is saved in NVRAM, the client's is not saved in NVRAM, and the transparent switch's is saved in NVRAM.



Rapid Spanning-Tree Protocol (RSTP) 802.1w

How would you like to have a good STP configuration running on your switched network (regardless of the brand of switches) and have all the features we just discussed built in and enabled on every switch? Absolutely, yes! Well then, welcome to the world of Rapid Spanning-Tree Protocol (RSTP).

Cisco created PortFast, UplinkFast, and BackboneFast to "fix" the holes and liabilities the IEEE 802.1d standard presented. The drawbacks to these enhancements are only that they are Cisco proprietary and need additional configuration. But the newer 802.1w standard (RSTP) addresses all these "issues" in one tight package: just turn on RSTP and you're good to go. Importantly, you must make sure that all the switches in your network are running the 802.1w protocol for 802.1w to work properly!

It might come as a surprise, but RSTP actually can interoperate with legacy STP protocols. Just know that the inherently fast convergence ability of 802.1w is lost where it interacts with legacy bridges.



PVST

Understand that Cisco switches run what is called Per-VLAN Spanning-Tree (PVST), which basically means that each VLAN runs its own instance of the STP protocol. If we typed show spanning-tree, we'd receive information for each VLAN, starting with VLAN 1. So, say we've got multiple VLANs, and we want to see what's up with VLAN 2: we'd use the command show spanning-tree vlan 2.






IEEE 802.1Q

Created by the IEEE as a standard method of frame tagging, IEEE 802.1Q actually inserts a field into the frame to identify the VLAN. If you're trunking between a Cisco switch and a different brand of switch, you've got to use 802.1Q for the trunk to work.

It works like this: You first designate each port that is going to be a trunk with 802.1Q encapsulation. Each trunk port must also be assigned a specific VLAN ID as its native VLAN in order for the trunk to communicate; the ports at both ends of the same trunk form a group with this native VLAN, and by default it is VLAN 1. The native VLAN allows the trunk to carry frames that were received without any VLAN identification or frame tag: an untagged frame arriving on a trunk is placed in the native VLAN, and native-VLAN frames cross the trunk untagged, which is why both ends of a trunk must agree on the native VLAN.

The 2960s support only the IEEE 802.1Q trunking protocol, but the 3560s support both the ISL and IEEE methods.

The basic purpose of ISL and 802.1Q frame-tagging methods is to provide interswitch VLAN communication. Also, remember that any ISL or 802.1Q frame tagging is removed if a frame is forwarded out an access link: tagging is used across trunk links only!
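To make the tagging concrete, here is an added Python example (mine, not from the book) that builds an Ethernet frame, inserts and strips the 4-byte 802.1Q tag, and applies the access/trunk/native-VLAN rules from the text. The MAC addresses and payload are constructed sample data and the function names are my own.

```python
import struct

TPID_8021Q = 0x8100          # "EtherType" value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Untagged Ethernet II frame: dst(6) src(6) type(2) payload (FCS omitted)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte tag (TPID + TCI) between the source MAC and the EtherType."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame: bytes):
    """Return (vlan_id or None, ethertype, payload); None means the frame is untagged."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner_type, frame[18:]
    return None, ethertype, frame[14:]


def untag_frame(frame: bytes) -> bytes:
    """Remove the tag if present: what a switch does before forwarding out an access link."""
    vid, _, _ = parse_frame(frame)
    return frame if vid is None else frame[:12] + frame[16:]


def egress(frame: bytes, vlan_id: int, port_mode: str, native_vlan: int = 1) -> bytes:
    """Frame as it leaves a port. Access ports never carry a tag; trunk ports tag
    every VLAN except the native VLAN, which crosses the trunk untagged."""
    plain = untag_frame(frame)
    if port_mode == "access" or (port_mode == "trunk" and vlan_id == native_vlan):
        return plain
    if port_mode == "trunk":
        return tag_frame(plain, vlan_id)
    raise ValueError(f"unknown port mode {port_mode}")


def ingress_vlan(frame: bytes, port_mode: str, access_vlan: int = 1, native_vlan: int = 1) -> int:
    """VLAN a received frame is assigned to. On a trunk an untagged frame lands in the
    native VLAN; on an access port the port's configured VLAN applies."""
    vid, _, _ = parse_frame(frame)
    if port_mode == "access":
        return access_vlan
    return native_vlan if vid is None else vid


# Constructed sample: a broadcast from 00:11:22:33:44:55 carrying a 5-byte payload.
SAMPLE = build_frame(b"\xff" * 6, bytes.fromhex("001122334455"), ETHERTYPE_IPV4, b"hello")


def demo() -> dict:
    on_trunk_v7 = egress(SAMPLE, 7, "trunk")        # VLAN 7 over a trunk: tagged
    on_trunk_native = egress(SAMPLE, 1, "trunk")    # native VLAN over a trunk: untagged
    return {
        "untagged_len": len(SAMPLE),
        "tagged_len": len(on_trunk_v7),
        "tag_bytes": on_trunk_v7[12:16].hex(),
        "parsed_vid": parse_frame(on_trunk_v7)[0],
        "native_is_untagged": parse_frame(on_trunk_native)[0] is None,
        "back_on_access": egress(on_trunk_v7, 7, "access") == SAMPLE,
        "untagged_on_trunk_goes_to": ingress_vlan(SAMPLE, "trunk"),
        "tagged_on_trunk_goes_to": ingress_vlan(on_trunk_v7, "trunk"),
    }


if __name__ == "__main__":
    print(demo())
```

The tag_bytes value shows the whole trick: 0x8100 where the EtherType used to be, then a 12-bit VLAN ID, and the original EtherType pushed four bytes down the frame.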



Exam Objectives

Understand the Rapid Spanning-Tree Protocol. The 802.1w STP standard (RSTP) addresses all the problems found in the 802.1d STP protocol and is not Cisco proprietary. This is not enabled on any Cisco switch by default, and if you enable this protocol, you should enable it on all your switches for the fastest convergence times.

Understand the purpose and configuration of VTP. VTP provides propagation of the VLAN database throughout your switched network. All switches must be in the same VTP domain.

Be able to define PVST. Per-VLAN Spanning-Tree; each VLAN runs its own instance of the STP protocol.



2.9 Describe how VLANs create logically separate networks and the need for routing between them

Figure 2.19 shows how layer 2 switched networks are typically designed: as flat networks. With this configuration, every broadcast packet transmitted is seen by every device on the network regardless of whether the device needs to receive that data or not.

By default, routers allow broadcasts to occur only within the originating network, while switches forward broadcasts to all segments. Oh, and by the way, the reason it's called a flat network is because it's one broadcast domain, not because the actual design is physically flat. In Figure 2.19 we see Host A sending out a broadcast and all ports on all switches forwarding it, all except the port that originally received it.



FIGURE 2.19 Flat network structure (Host A sends a broadcast that every switch floods out every port except the one it arrived on)



Now check out Figure 2.20. It depicts a switched network and shows Host A sending a frame with Host D as its destination. What's important is that, as you can see, that frame is only forwarded out the port where Host D is located. This is a huge improvement over the old hub networks, unless having one collision domain by default is what you really want. (Probably not!)

FIGURE 2.20 The benefit of a switched network (a frame from Host A to Host D leaves only the port where Host D is connected)



Now you already know that the largest benefit you gain by having a layer 2 switched network is that it creates individual collision domain segments for each device plugged into each port on the switch. This scenario frees us from the Ethernet distance constraints, so now larger networks can be built. But often, each new advance comes with new issues. For instance, the larger the number of users and devices, the more broadcasts and packets each switch must handle.

And here's another issue: security! This one's real trouble because within the typical layer 2 switched internetwork, all users can see all devices by default. And you can't stop devices from broadcasting, plus you can't stop users from trying to respond to broadcasts. This means your security options are dismally limited to placing passwords on your servers and other devices.






But wait, there's hope! That is, if you create a virtual LAN (VLAN). You can solve many of the problems associated with layer 2 switching with VLANs, as you'll soon see.

Here's a short list of ways VLANs simplify network management:

- Network adds, moves, and changes are achieved with ease by just configuring a port into the appropriate VLAN.
- A group of users that need an unusually high level of security can be put into its own VLAN so that users outside of the VLAN can't communicate with them.
- As a logical grouping of users by function, VLANs can be considered independent from their physical or geographic locations.
- VLANs greatly enhance network security.
- VLANs increase the number of broadcast domains while decreasing their size.

Coming up, I'm going to tell you all about switching characteristics and thoroughly describe how switches provide us with better network services than hubs can in our networks today.



Broadcast Control

Broadcasts occur in every protocol, but how often they occur depends upon three things:

- The type of protocol
- The application(s) running on the internetwork
- How these services are used

Some older applications have been rewritten to reduce their bandwidth appetites, but there's a new generation of applications that are incredibly bandwidth greedy and will consume any and all they can find. These bandwidth gluttons are multimedia applications that use both broadcasts and multicasts extensively. And faulty equipment, inadequate segmentation, and poorly designed firewalls seriously compound the problems that these broadcast-intensive applications create. All of this has added a major new dimension to network design and presents a bunch of new challenges for an administrator. Positively making sure your network is properly segmented so that you can quickly isolate a single segment's problems to prevent them from propagating throughout your entire internetwork is imperative! And the most effective way to do that is through strategic switching and routing.

Since switches have become more affordable lately, a lot of companies are replacing their flat hub networks with pure switched network and VLAN environments. All devices within a VLAN are members of the same broadcast domain and receive all broadcasts. By default, these broadcasts are filtered from all ports on a switch that aren't members of the same VLAN. This is great because you get all the benefits you would with a switched design without getting hit with all the problems you'd have if all your users were in the same broadcast domain. Sweet!
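The broadcast-domain argument in the two paragraphs above, as an added Python example that is not from the book: it takes a constructed port table for one switch (port names borrowed from the show vlan output later in the chapter, with Fa0/1 and Fa0/2 trunked; the VLAN assignments are my own) and shows which ports a broadcast reaches when every port sits in VLAN 1 versus after the ports are split into VLANs.

```python
from typing import Dict, List, Set

# Constructed port table for one switch: access port -> VLAN. Trunk ports carry
# every VLAN and are listed separately. Fa0/8 is deliberately left in VLAN 1.
ACCESS_PORTS: Dict[str, int] = {
    "Fa0/3": 2, "Fa0/4": 2, "Fa0/5": 3, "Fa0/6": 3, "Fa0/7": 4, "Fa0/8": 1,
}
TRUNK_PORTS: Set[str] = {"Fa0/1", "Fa0/2"}


def broadcast_domains(access_ports: Dict[str, int]) -> int:
    """One broadcast domain per VLAN that has at least one access port on it."""
    return len(set(access_ports.values()))


def flood(ingress: str, access_ports: Dict[str, int], trunks: Set[str],
          native_vlan: int = 1) -> Dict[str, str]:
    """Ports that receive a broadcast arriving on access port `ingress`, and how.
    Access ports in the same VLAN get it untagged; every trunk carries it to the
    next switch tagged, except native-VLAN traffic, which crosses untagged."""
    vlan = access_ports[ingress]
    out: Dict[str, str] = {}
    for port, pvlan in access_ports.items():
        if port != ingress and pvlan == vlan:     # never back out the ingress port
            out[port] = "untagged"
    for port in trunks:
        out[port] = "untagged (native)" if vlan == native_vlan else f"tagged VLAN {vlan}"
    return out


def flat_network(access_ports: Dict[str, int]) -> Dict[str, int]:
    """Factory default: every port in VLAN 1, i.e. one big broadcast domain."""
    return {port: 1 for port in access_ports}


def demo() -> dict:
    flat = flat_network(ACCESS_PORTS)
    return {
        "flat_domains": broadcast_domains(flat),
        "flat_reach": sorted(flood("Fa0/3", flat, TRUNK_PORTS)),
        "vlan_domains": broadcast_domains(ACCESS_PORTS),
        "vlan_reach": sorted(flood("Fa0/3", ACCESS_PORTS, TRUNK_PORTS)),
        # a chattering NIC on Fa0/7 (VLAN 4) reaches no other local access port
        "storm_from_fa0_7": sorted(flood("Fa0/7", ACCESS_PORTS, TRUNK_PORTS)),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the trunks still carry the VLAN 4 storm to the neighbouring switches: VLANs confine a broadcast storm to the VLAN it started in, not to the switch it started on.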



Security

Okay, I know. There's always a catch, though, right? Time to get back to those security issues. A flat internetwork's security used to be tackled by connecting hubs and switches with routers. So, it was basically the router's job to maintain security. This arrangement was pretty ineffective for several reasons. First, anyone connecting to the physical network could access the network resources located on that particular physical LAN. Second, all anyone had to do to observe any and all traffic happening in that network was to simply plug a network analyzer into the hub. And similar to that last ugly fact, users could join a workgroup by just plugging their workstations into the existing hub. That's about as secure as an open barrel of honey in a bear enclosure!

But that's exactly what makes VLANs so cool. If you build them and create multiple broadcast groups, you have total control over each port and user! So, the days when anyone could just plug their workstation into any switch port and gain access to network resources are history, because now you get to control each port, plus whatever resources that port can access. Keep in mind that a VLAN assignment only decides which broadcast domain a port belongs to: whoever plugs into that port gets that VLAN's access, so every port needs to be assigned deliberately rather than left sitting in the default VLAN 1.

What's more, with the new 2960/3560 switches, this actually happens automatically!

And it doesn't end there, my friends, because VLANs can be created in accordance with the network resources a given user requires, plus switches can be configured to inform a network management station of any unauthorized access to network resources. And if you need inter-VLAN communication, you can implement restrictions on a router to make that happen. You can also place restrictions on hardware addresses, protocols, and applications. Now we're talking security: the honey barrel is now sealed, shrouded in razor wire, and made of solid titanium!



Flexibility and Scalability

If you were paying attention to what you've read so far, you know that layer 2 switches only read frames for filtering; they don't look at the Network layer protocol. And by default, switches forward all broadcasts. But if you create and implement VLANs, you're essentially creating smaller broadcast domains at layer 2.

What this means is that broadcasts sent out from a node in one VLAN won't be forwarded to ports configured to belong to a different VLAN. So, by assigning switch ports or users to VLAN groups on a switch or group of connected switches, you gain the flexibility to add only the users you want into that broadcast domain regardless of their physical location. This setup can also work to block broadcast storms caused by a faulty NIC as well as prevent an intermediate device from propagating broadcast storms throughout the entire internetwork. Those evils can still happen on the VLAN where the problem originated, but the device with the disease will be quarantined to that one ailing VLAN.

Another advantage is that when a VLAN gets too big, you can create more VLANs to keep the broadcasts from consuming too much bandwidth: the fewer users in a VLAN, the fewer users affected by broadcasts. This is all well and good, but you seriously need to keep network services in mind and understand how the users connect to these services when you create your VLAN. It's a good move to try to keep all services, except for the email and Internet access that everyone needs, local to all users whenever possible.

To understand how a VLAN looks to a switch, it's helpful to begin by first looking at a traditional network. Figure 2.21 shows how a network was created by using hubs to connect physical LANs to a router.



FIGURE 2.21 Physical LANs connected to a router (one hub each for Engineering, Sales, Shipping, Marketing, Finance, and Management, each hub on its own router port)

Here, you can see that each network is attached with a hub port to the router (each segment also has its own logical network number even though this isn't obvious from looking at the figure). Each node attached to a particular physical network has to match that network's number in order to be able to communicate on the internetwork. Notice that each department has its own LAN, so if you needed to add new users to, let's say, Sales, you would just plug them into the Sales LAN and they would automatically be part of the Sales collision and broadcast domain. This design really did work well for many years.

But there was one major flaw: What happens if the hub for Sales is full and we need to add another user to the Sales LAN? Or, what do we do if there's no more physical space where the Sales team is located for this new employee? Well, let's say there just happens to be plenty of room in the Finance section of the building. That new Sales team member will just have to sit on the same side of the building as the Finance people, and we'll just plug the poor soul into the hub for Finance.

Doing this obviously makes the new user part of the Finance LAN, which is very bad for many reasons. First and foremost, we now have a major security issue. Because the new Sales employee is a member of the Finance broadcast domain, the newbie can see all the same servers and access all network services that the Finance folks can. Second, for this user to access the Sales network services that they need to get their job done, they would have to go through the router to log in to the Sales server. Not exactly efficient!

Now let's look at what a switch accomplishes for us. Figure 2.22 demonstrates how switches come to the rescue by removing the physical boundary to solve our problem. It also shows how six VLANs (numbered 2 through 7) are used to create a broadcast domain for each department. Each switch port is then administratively assigned a VLAN membership, depending on the host and which broadcast domain it's placed in.



FIGURE 2.22 Switches removing the physical boundary

A router attached to the switches provides inter-VLAN communication and WAN services. Each department gets its own VLAN and its own subnet:

VLAN 2  Marketing    172.16.20.0/24
VLAN 3  Shipping     172.16.30.0/24
VLAN 4  Engineering  172.16.40.0/24
VLAN 5  Finance      172.16.50.0/24
VLAN 6  Management   172.16.60.0/24
VLAN 7  Sales        172.16.70.0/24



So now, if we needed to add another user to the Sales VLAN (VLAN 7), we could just assign the port to VLAN 7 regardless of where the new Sales team member is physically located. Nice! This illustrates one of the sweetest advantages to designing your network with VLANs over the old collapsed backbone design. Now, cleanly and simply, each host that needs to be in the Sales VLAN is merely assigned to VLAN 7. And by using the new switches with the predefined macros, we can just use CNA and Smartports to configure the port to be a Desktop connection and voilà! The port configuration is simply completed for us.

Notice that I started assigning VLANs with VLAN number 2. The number is irrelevant, but you might be wondering what happened to VLAN 1? Well, that VLAN is an administrative VLAN, and even though it can be used for a workgroup, Cisco recommends that you use it for administrative purposes only. You can't delete or change the name of VLAN 1, and by default, all ports on a switch are members of VLAN 1 until you change them.

Since each VLAN is considered a broadcast domain, it's got to also have its own subnet number (refer again to Figure 2.22). And if you're also using IPv6, then each VLAN must also be assigned its own IPv6 network number. So you don't get confused, just keep thinking of VLANs as separate subnets or networks.

Now let's get back to that "because of switches, we don't need routers anymore" misconception. Looking at Figure 2.22, notice that there are seven VLANs, or broadcast domains, counting VLAN 1. The nodes within each VLAN can communicate with each other but not with anything in a different VLAN, because the nodes in any given VLAN "think" that they're actually in a collapsed backbone, as illustrated in Figure 2.21.

So, what handy little tool do we need to enable the hosts in Figure 2.22 to communicate to a node or host on a different VLAN? You guessed it: a router! Those nodes positively need to go through a router, or some other layer 3 device, just as when they're configured for internetwork communication (as shown in Figure 2.21). It works the same way it would if we were trying to connect different physical networks. Communication between VLANs must go through a layer 3 device. So, don't expect mass router extinction anytime soon!



Exam Objectives

Remember that hosts in a VLAN can only communicate with hosts in the same VLAN. If you have multiple VLANs and need inter-VLAN communication, you must configure a router or buy a more expensive layer 3 switch to provide the routing on the backplane of the switch.

Remember how to create a Cisco "router on a stick" to provide inter-VLAN communication. You can use a Cisco FastEthernet or Gigabit Ethernet interface to provide inter-VLAN routing. The switch port connected to the router must be a trunk port, then you must create virtual interfaces (subinterfaces) on the router port for each VLAN connecting. The hosts in each VLAN will use this subinterface address as their default gateway address.
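The router-on-a-stick objective above, as an added Python example (not from the book): it takes the VLAN-to-subnet table from Figure 2.22, assumes a FastEthernet0/0 physical interface with one dot1Q subinterface per VLAN and the first host address of each subnet as that VLAN's gateway (both my assumptions), renders the router side of the IOS configuration, and walks through how a host and the router handle same-VLAN versus inter-VLAN traffic.

```python
import ipaddress
from typing import Dict, Optional

# VLAN -> subnet as drawn in Figure 2.22. The physical port name, the subinterface
# names and the choice of .1 as the gateway are assumptions made for this example.
VLAN_SUBNETS: Dict[int, str] = {
    2: "172.16.20.0/24", 3: "172.16.30.0/24", 4: "172.16.40.0/24",
    5: "172.16.50.0/24", 6: "172.16.60.0/24", 7: "172.16.70.0/24",
}


def build_subinterfaces(phys: str = "FastEthernet0/0") -> Dict[int, dict]:
    """One 802.1Q subinterface per VLAN; its address is that VLAN's default gateway."""
    subifs = {}
    for vid, cidr in VLAN_SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        subifs[vid] = {"name": f"{phys}.{vid}", "network": net,
                       "gateway": net.network_address + 1}
    return subifs


def render_ios(subifs: Dict[int, dict], phys: str = "FastEthernet0/0") -> str:
    """Router-side IOS config. The switch port facing `phys` must be an 802.1Q trunk."""
    lines = [f"interface {phys}", " no ip address", " no shutdown"]
    for vid in sorted(subifs):
        s = subifs[vid]
        lines += [f"interface {s['name']}",
                  f" encapsulation dot1Q {vid}",
                  f" ip address {s['gateway']} {s['network'].netmask}"]
    return "\n".join(lines)


def vlan_of(ip: ipaddress.IPv4Address, subifs: Dict[int, dict]) -> Optional[int]:
    for vid, s in subifs.items():
        if ip in s["network"]:
            return vid
    return None


def host_next_hop(src_ip: str, dst_ip: str, subifs: Dict[int, dict]) -> str:
    """What a host does: same subnet -> deliver directly (ARP for the destination),
    otherwise hand the packet to its default gateway, the subinterface address."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    vid = vlan_of(src, subifs)
    if vid is None:
        return "host is not in any configured VLAN subnet"
    if dst in subifs[vid]["network"]:
        return "direct"
    return str(subifs[vid]["gateway"])


def route(src_ip: str, dst_ip: str, subifs: Dict[int, dict]) -> str:
    """Path between two hosts in the switched network of Figure 2.22."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_vlan, dst_vlan = vlan_of(src, subifs), vlan_of(dst, subifs)
    if src_vlan is None or dst_vlan is None:
        return "unreachable: no subinterface for that subnet"
    if src_vlan == dst_vlan:
        return f"same VLAN {src_vlan}: switched at layer 2, router not involved"
    # the packet goes up the trunk tagged with the source VLAN, the router forwards it
    # out the destination subinterface, and it comes back down tagged with the other VLAN
    return (f"VLAN {src_vlan} -> gateway {subifs[src_vlan]['gateway']} "
            f"-> out {subifs[dst_vlan]['name']} tagged VLAN {dst_vlan}")


if __name__ == "__main__":
    cfg = build_subinterfaces()
    print(render_ios(cfg))
    print(route("172.16.20.10", "172.16.70.5", cfg))
```

The same router hop is also where you would hang the inter-VLAN access lists the Security section mentioned: every packet that crosses a VLAN boundary passes through one of these subinterfaces.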



2.10 Configure, verify, and troubleshoot VLANs

It may come as a surprise to you, but configuring VLANs is actually pretty easy. Figuring out which users you want in each VLAN is not; it's extremely time-consuming. But once you've decided on the number of VLANs you want to create and established which users you want to belong to each one, it's time to bring your first VLAN into the world.

To configure VLANs on a Cisco Catalyst switch, use the global config vlan command. In the following example, I'm going to demonstrate how to configure VLANs on the S1 switch by creating three VLANs for three different departments. Again, remember that VLAN 1 is the native and administrative VLAN by default:

S1#config t
S1(config)#vlan ?
  WORD      ISL VLAN IDs 1-4094
  internal  internal VLAN
S1(config)#vlan 2
S1(config-vlan)#name Sales
S1(config-vlan)#vlan 3
S1(config-vlan)#name Marketing
S1(config-vlan)#vlan 4
S1(config-vlan)#name Accounting
S1(config-vlan)#^Z
S1#






From the preceding, you can see that you can create VLANs from 2 to 4094. This is only mostly true. As I said, VLANs can really only be created up to 1005, and you can't change, rename, or delete VLANs 1 and 1002 through 1005 because they're reserved. The VLAN numbers above that are called extended VLANs and won't be saved in the database unless your switch is set to VTP transparent mode. You won't see these VLAN numbers used too often in production. Here's an example of setting my S1 switch to VLAN 4000 when my switch is set to VTP server mode (the default VTP mode):

S1#config t
S1(config)#vlan 4000
S1(config-vlan)#^Z
% Failed to create VLANs 4000
Extended VLAN(s) not allowed in current VTP mode.
%Failed to commit extended VLAN(s) changes.



After you create the VLANs that you want, you can use the show vlan command to check them out. But notice that, by default, all ports on the switch are in VLAN 1. To change the VLAN associated with a port, you need to go to each interface and tell it which VLAN to be a part of.

Remember that a created VLAN is unused until it is assigned to a switch port or ports and that all ports are always assigned in VLAN 1 unless set otherwise.

Once the VLANs are created, verify your configuration with the show vlan command (sh vlan for short):

S1#sh vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/3, Fa0/4, Fa0/5, Fa0/6
                                                Fa0/7, Fa0/8, Gi0/1
2    Sales                            active
3    Marketing                        active
4    Accounting                       active
[output cut]



This may seem repetitive, but it's important, and I want you to remember it: You can't change, delete, or rename VLAN 1 because it's the default VLAN and you just can't change that, period. It's the native VLAN of all switches by default, and Cisco recommends that you use it as your administrative VLAN. Basically, any frames that aren't specifically assigned to a different VLAN will be sent down to the native VLAN.

In the preceding S1 output, you can see that ports Fa0/3 through Fa0/8 and the Gi0/1 uplink are all in VLAN 1, but where are ports 1 and 2? Ports one and two are trunked. Any


